SS-SOC2-001A Checklist
SKYE Standard control checklist: mandatory domains + applicable modules, with status tracking and export.
Fill system details first. Then mark every control as β Done, π‘ Partial, β Not Implemented, or N/A. Every β must be remediated with a due date or covered by an approved SS-SOC2-001D exception.
Tip: Use the filter box to find controls fast. Ex: type MFA or access review.
Loadingβ¦
Section 0 β System Identification (Required)
SS-SOC2-001A β Checklist
Interactive checklist. Status saves locally to this device and exports as JSON.
1 β Identity & Access Control (SS-IAM) (Mandatory)
1.1 β MFA enforced for all privileged accounts (admin, cloud consoles, DB, CI/CD).
1.2 β No shared privileged accounts; named accounts only.
1.3 β RBAC defined for application and infrastructure.
1.4 β Least privilege implemented (no broad owner roles without justification).
1.5 β Joiner/Mover/Leaver process documented and used.
1.6 β Offboarding SLA defined and met (same-day target for privileged access).
1.7 β Access reviews completed on required cadence (quarterly minimum; monthly high-risk).
1.8 β Break-glass access exists, is logged, and reviewed.
1.9 β API keys/tokens are scoped and rotated; no uncontrolled long-lived secrets.
1.10 β Service accounts are limited, monitored, and reviewed.
2 β Change Management (SS-CHG) (Mandatory)
2.1 β All production changes tracked (PR/ticket required).
2.2 β Approvals required for production changes (defined approver role).
2.3 β Separation of duties for sensitive changes (when feasible).
2.4 β CI checks enforced (lint/test/build; dependency scan where applicable).
2.5 β Deployment logs retained and searchable.
2.6 β Rollback plan exists for production releases.
2.7 β Emergency changes process exists and is audited.
2.8 β Infrastructure changes are version-controlled (IaC or traceable equivalent).
3 β Logging, Monitoring, Alerting (SS-OBS) (Mandatory)
3.1 β Centralized logging enabled for auth, admin actions, and application events.
3.2 β Audit logs enabled for cloud provider / identity provider / database.
3.3 β Alerts configured for auth anomalies (brute force, impossible travel, suspicious admin actions).
3.4 β Alerts configured for availability and error rate thresholds.
3.5 β Log retention configured per risk (minimum policy specified and enforced).
3.6 β Time synchronization enabled (NTP) to ensure reliable timestamps.
3.7 β Access to logs restricted and reviewed.
3.8 β Evidence of alert testing exists (at least quarterly).
4 β Vulnerability & Patch Management (SS-VULN) (Mandatory)
4.1 β Dependency scanning enabled (SCA).
4.2 β Vulnerability triage process defined (severity, owner, SLA).
4.3 β Patch SLAs defined and met (example: Critical 7d, High 14d, Medium 30d, Low 90d).
4.4 β OS/container/base image patching documented and executed on cadence.
4.5 β Periodic vulnerability scans performed (cadence defined).
4.6 β Remediation tickets tracked to closure (no silent backlog).
4.7 β Secrets scanning enabled for repositories and build pipelines.
5 β Incident Response (SS-IR) (Mandatory)
5.1 β Incident severity levels defined (SEV scale).
5.2 β On-call/escalation path defined and current.
5.3 β Incident response runbook exists and is accessible.
5.4 β Tabletop exercise performed at least annually (quarterly for high-risk).
5.5 β Post-incident review process exists (root cause + corrective actions).
5.6 β Incident logs/tickets retained and searchable.
5.7 β Client notification criteria documented (if applicable).
6 β Data Protection & Secrets (SS-DATA) (Mandatory)
6.1 β TLS enforced for all external traffic; internal encryption where feasible.
6.2 β Encryption-at-rest enabled for databases and object storage (where supported).
6.3 β Secrets stored in approved secret manager / env vars; never committed to code.
6.4 β Secret rotation policy defined and followed.
6.5 β Data classification policy applied to system datasets.
6.6 β Data retention + deletion policy implemented.
6.7 β Backups are encrypted and access-controlled.
6.8 β Data access is logged for sensitive datasets.
7 β Vendor & Third-Party Risk (SS-VEND) (Mandatory)
7.1 β Vendor inventory maintained for critical vendors (cloud, auth, DB, payments, email).
7.2 β Vendor access is least-privilege and reviewed.
7.3 β Security attestations collected when available (SOC reports for critical vendors).
7.4 β Subprocessor list maintained (if handling customer data).
7.5 β Contractual security requirements tracked (SLAs, breach notice terms).
8 β Availability & Disaster Recovery (SS-AVL) (Required if uptime promised / critical)
8.1 β Uptime objective defined (SLO/SLA).
8.2 β Backups scheduled and monitored.
8.3 β Restore test performed at least annually (quarterly for critical).
8.4 β DR plan documented with RTO/RPO targets.
8.5 β Redundancy implemented where required.
8.6 β Capacity monitoring in place.
9 β Confidentiality (SS-CONF) (Required if sensitive business data)
9.1 β Data classification applied and enforced for sensitive datasets.
9.2 β Sensitive data access restricted and reviewed more frequently.
9.3 β DLP controls applied where appropriate (email/storage).
9.4 β Field-level protections used where needed (masking/tokenization).
10 β Processing Integrity (SS-PI) (Required if correctness is contractually important)
10.1 β Input validation + error handling standards defined and used.
10.2 β Reconciliation or audit trails exist for critical transactions.
10.3 β Job/queue retries are safe and monitored.
10.4 β Data integrity checks exist for critical flows.
11 β Privacy (SS-PRIV) (Required if personal data)
11.1 β Privacy notice and data use purpose defined.
11.2 β Data subject request (DSR) process defined (access/delete/export).
11.3 β Data minimization enforced (collect only whatβs needed).
11.4 β Consent handling documented where required.
11.5 β Retention policy aligns with privacy requirements.
12 β AI Add-On Controls (SS-AI) (Required if AI/LLM is used)
12.1 β Model access governed (scoped keys, caps, audit logs).
12.2 β Sensitive data handling rules defined (no secrets in prompts).
12.3 β Output logging for high-impact workflows (redaction where required).
12.4 β Human review for high-risk decisions (when applicable).
12.5 β Prompt/version changes follow change control.
12.6 β Abuse monitoring and rate limiting enabled.
Completion Gate (SKYE Enforcement)
- To reach Level 2: Mandatory sections 1β7 must be β Done or π‘ Partial with remediation due dates; no open β without an approved exception.
- To reach Level 3: Mandatory sections β Done; all applicable modules β Done; evidence complete for the audit period; quarterly reviews current.
